Silent Push, a cybersecurity research firm, has documented a practice it terms “infrastructure laundering,” in which threat actors route their operations through mainstream cloud providers such as Amazon Web Services (AWS) and Microsoft Azure so that illicit infrastructure appears to be legitimate cloud hosting.
The practice involves renting IP addresses from legitimate hosting providers and pointing criminal websites at them through DNS CNAME chains, so that a scam domain ultimately resolves to an address inside a reputable provider's network rather than to anything that looks criminal.

The findings highlight the difficulty cloud providers face in combating this activity: each takedown removes only the IPs currently in use, and new IPs are continually acquired after each takedown.
The FUNNULL content delivery network (CDN) serves as a prime example of this phenomenon.
FUNNULL has reportedly rented over 1,200 IPs from Amazon and nearly 200 from Microsoft, using fraudulent or stolen accounts to get past the providers' account-level abuse controls.
These IPs are then linked to scams such as retail phishing, investment fraud, and money laundering schemes hosted on shell websites.

Despite AWS and Azure suspending the fraudulent accounts they identify, the pace at which replacement IPs are acquired makes this a persistent threat.
Technical Challenges
The infrastructure laundering process relies on intermediary hosts, such as CDN edge nodes and rented cloud IPs, that sit between the victim and the criminal origin and obscure who is behind the activity.
Unlike traditional “bulletproof hosting,” where the entire infrastructure is designed to resist takedown efforts, infrastructure laundering borrows the credibility of mainstream cloud providers.
This makes it difficult for defenders to block malicious traffic at the IP or network level without disrupting legitimate services hosted on the same platforms.
Silent Push’s research revealed that FUNNULL’s CDN hosts over 200,000 unique domains, with 95% generated through Domain Generation Algorithms (DGAs).
These domains support scams targeting brands like Bwin, Chanel, and eBay.
Additionally, FUNNULL has been linked to supply chain attacks, including the incident involving the popular JavaScript library polyfill.io, which affected over 110,000 websites.
The investigation also uncovered a connection between FUNNULL and transnational organized crime groups, including Chinese Triads.
By blending hosting services across jurisdictions such as the U.S., Hong Kong, and Southeast Asia, these networks exploit gaps in international collaboration on cybersecurity issues.
Cloud Providers Under Scrutiny
AWS has responded to Silent Push’s findings by emphasizing its efforts to identify and suspend fraudulent accounts linked to FUNNULL’s activities.
The company disputes claims that it enables such abuse and asserts that it incurs damages from these fraudulent activities.
AWS highlighted the complexity of detecting abuse in real time given the technical intricacies of DNS architecture.
Silent Push acknowledges the challenges faced by cloud providers but raises critical questions about their ability to monitor and prevent infrastructure laundering effectively.
The firm argues that systematic tracking of CNAME chains, in particular chains that pass through third-party hostnames and terminate in cloud address space, could help identify illicit IP rentals more quickly.
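The CNAME-chain tracking suggested here, together with the renting-and-repointing mechanism described at the top of the article, can be illustrated with a small resolver-style walker. The following is an added example written for this page, not Silent Push's tooling or any provider's code. It walks CNAME chains over a constructed passive-DNS snapshot, handles the loop and dangling-record cases a real walker must survive, checks whether the terminal A record falls inside a provider prefix table, and diffs two snapshots to surface the "new IP after takedown" pattern. All hostnames, the provider labels and the prefix table are constructed for the example; the prefixes are RFC 5737 documentation ranges, not real AWS or Azure ranges, and the "intermediary through third-party hostname into cloud space" rule is a heuristic assumed for illustration.

```python
"""Walk CNAME chains over a DNS snapshot and flag domains that reach cloud
provider address space through one or more third-party intermediaries.
Added example, not Silent Push's code. Zone data, provider labels and
prefixes are constructed (RFC 5737 documentation ranges), not real data."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, Tuple[str, str]]   # name -> (record type, target)

# Constructed passive-DNS snapshot, day 1.
ZONE_DAY1: Zone = {
    # scam site -> CDN hostname -> edge node on a rented cloud IP
    "shop-brand-deals.test": ("CNAME", "edge.example-cdn.test"),
    "edge.example-cdn.test": ("CNAME", "node-17.example-host.test"),
    "node-17.example-host.test": ("A", "203.0.113.45"),
    # site resolving directly to a non-cloud address
    "direct-site.test": ("A", "198.51.100.10"),
    # broken data a walker must survive
    "loop-a.test": ("CNAME", "loop-b.test"),
    "loop-b.test": ("CNAME", "loop-a.test"),
    "dangling.test": ("CNAME", "gone.test"),
}

# Day 2: after a takedown the edge is repointed at a fresh IP elsewhere.
ZONE_DAY2: Zone = dict(ZONE_DAY1)
ZONE_DAY2["edge.example-cdn.test"] = ("CNAME", "node-03.other-host.test")
ZONE_DAY2["node-03.other-host.test"] = ("A", "192.0.2.77")

# Constructed prefix table with hypothetical provider labels; a real check
# would load the providers' published IP range feeds instead.
CLOUD_PREFIXES = {
    "CloudProvider-A": [ipaddress.ip_network("203.0.113.0/24")],
    "CloudProvider-B": [ipaddress.ip_network("192.0.2.0/24")],
}
MAX_DEPTH = 8   # cap chain length, as resolvers do, to avoid runaway walks


def walk_cname_chain(name: str, zone: Zone, max_depth: int = MAX_DEPTH
                     ) -> Tuple[List[str], Optional[str], str]:
    """Follow CNAMEs from `name`. Returns (chain, terminal_ip, status) with
    status one of 'resolved', 'dangling', 'loop', 'too_deep'."""
    chain, seen, current = [name], {name}, name
    for _ in range(max_depth):
        record = zone.get(current)
        if record is None:
            return chain, None, "dangling"
        rtype, target = record
        if rtype == "A":
            return chain, target, "resolved"
        chain.append(target)
        if target in seen:
            return chain, None, "loop"
        seen.add(target)
        current = target
    return chain, None, "too_deep"


def provider_for_ip(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for provider, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return provider
    return None


def registrable(name: str) -> str:
    """Crude apex (last two labels); adequate for the .test names used here."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def classify(name: str, zone: Zone) -> dict:
    chain, ip, status = walk_cname_chain(name, zone)
    provider = provider_for_ip(ip) if ip else None
    # hops under a different apex than the queried domain are intermediaries
    intermediaries = [h for h in chain[1:] if registrable(h) != registrable(name)]
    return {
        "name": name, "chain": chain, "status": status,
        "terminal_ip": ip, "provider": provider,
        "intermediaries": intermediaries,
        # heuristic: third-party CNAME hop(s) ending in cloud address space
        "laundering_candidate": (status == "resolved" and provider is not None
                                 and len(intermediaries) > 0),
    }


def ip_churn(old: Zone, new: Zone, names: List[str]
             ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Domains whose terminal IP changed between two snapshots."""
    moved = {}
    for n in names:
        _, ip_old, _ = walk_cname_chain(n, old)
        _, ip_new, _ = walk_cname_chain(n, new)
        if ip_old != ip_new:
            moved[n] = (ip_old, ip_new)
    return moved


if __name__ == "__main__":
    for n in ("shop-brand-deals.test", "direct-site.test", "loop-a.test", "dangling.test"):
        print(classify(n, ZONE_DAY1))
    print(ip_churn(ZONE_DAY1, ZONE_DAY2, ["shop-brand-deals.test", "direct-site.test"]))
```

Run against a real passive-DNS feed, the same two signals are the ones worth alerting on: a chain that hops through a hostname nobody in the organisation recognises before landing in a mainstream cloud prefix, and a terminal IP that changes shortly after an abuse report. The loop, dangling and depth cases are included because real zone data contains all three and a walker that crashes on them never reaches the interesting records.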
The report underscores the need for coordinated efforts between cloud providers, cybersecurity firms, and law enforcement to address infrastructure laundering.
Silent Push continues to track this evolving threat and advocates for improved detection protocols using tools like their Indicators of Future Attacks (IOFA) feeds.
As cybercriminals refine their methods, infrastructure laundering poses significant risks not only to targeted brands but also to the broader cybersecurity landscape.
The findings call for enhanced regulatory scrutiny and technological innovation to close the gaps exploited by these networks.